
Saturday, January 30, 2016

We provide shared hosting for a huge number of non-profit organizations located at our university. We have been using HAProxy and multiple web nodes for load balancing and reliability since more and more organizations started using our service.

Over the last few weeks we have observed that one of our hosted websites (medienbewusst.de) regularly comes under DoS attacks. This is incredibly annoying and we have now started to investigate this issue in more detail.

All requests originate from one or more source IP addresses, which always belong to the network of a single company. The attack pattern is almost always identical: first there is a request with a well-known User-Agent (e.g. Firefox 38), which is followed, to name one example, by more than 1500 requests in approximately 3 or 4 minutes. These all have the same User-Agent: "Mozilla/4.0 (compatible;)".

After talking to a technician who is responsible for one of these company networks, it turned out that the company uses proxy appliances built by Blue Coat. Their proxy seemingly prefetches the whole webpage really fast, which, in combination with the content management system in use, causes a DoS. Users in blogs and forums report that this is typical for Blue Coat proxies and that the requests can be identified by the HTTP header "HTTP_X_BLUECOAT_VIA" in addition to the User-Agent.

We now block these requests on our HAProxy load balancers with the following configuration:

<html> <head> <title>503 - Service Unavailable</title> </head> <body> <h1>Your request was blocked.</h1> The proxy you are using prefetches the whole webpage with a very high rate per second. To prevent this DoS attack your request was blocked. <br /> Please contact your IT Administrator. </body> </html>
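One way to express this block in HAProxy, as an added example that is not the configuration from the original post: it matches the two markers named above and answers with a custom 503 page. The section names (`http-in`, `web_nodes`, `bluecoat_blocked`), the error-file path and the server addresses are assumptions, and `X-BlueCoat-Via` is the on-the-wire name of the header that PHP/CGI exposes as HTTP_X_BLUECOAT_VIA.

```haproxy
# Added example, not the original post's configuration.
# Assumed: section names, error-file path, server addresses (192.0.2.0/24
# is a documentation range).

defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend http-in
    bind *:80

    # Fixed User-Agent sent by the prefetch requests (space escaped for the parser).
    acl ua_prefetch  req.hdr(User-Agent) -m str Mozilla/4.0\ (compatible;)
    # Header added by the proxy appliance; header names are case-insensitive.
    acl via_bluecoat req.hdr(X-BlueCoat-Via) -m found

    # Both conditions must hold. A browser behind the same proxy sends its own
    # User-Agent, so the user's first, legitimate request is still served.
    use_backend bluecoat_blocked if ua_prefetch via_bluecoat
    default_backend web_nodes

backend bluecoat_blocked
    # No servers are defined here, so HAProxy answers 503 itself and the
    # request never reaches the content management system.
    # An errorfile is a raw HTTP response: status line, headers, an empty
    # line, then the HTML body.
    errorfile 503 /etc/haproxy/errors/503-bluecoat.http

backend web_nodes
    balance roundrobin
    server web1 192.0.2.11:80 check
    server web2 192.0.2.12:80 check
```

The file can be validated before a reload with `haproxy -c -f <path to the config>`.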